Description
The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability and status checks on multiple functions in all versions up to, and including, 10.3.1. This makes it possible for unauthenticated attackers to view the details of unpublished, private, or password-protected quizzes, as well as to submit file responses to questions in those quizzes that allow file upload.
Published: 2026-01-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Disclosure
Action: Patch Now
AI Analysis

Impact

The vulnerability in the Quiz and Survey Master plugin results from missing capability and status checks on several functions. This oversight allows any visitor, including unauthenticated users, to retrieve full details of unpublished, private, or password‑protected quizzes and to submit arbitrary file responses to quiz questions. The exposed quiz content and the ability to upload files can lead to data disclosure and potential malicious payload delivery.

Affected Systems

The issue affects all installations of ExpressTech’s Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker up to and including version 10.3.1. Any WordPress site that has the plugin enabled and has not applied the latest patch is vulnerable. The problem is confined to the plugin within the WordPress environment; no other WordPress components are directly impacted.

Risk and Exploitability

The CVSS v3.1 base score of 6.5 reflects a moderate level of severity, and the EPSS score of less than 1% suggests a low likelihood of current exploitation. The vulnerability is not catalogued in the CISA KEV. Attackers can likely exploit the flaw by requesting quiz data or uploading files through the plugin’s publicly reachable endpoints, as no authorization is enforced. Successful exploitation would compromise the confidentiality of quiz content and could allow the storage of malicious files on the server, presenting integrity and resource‑exhaustion risks.

Generated by OpenCVE AI on April 22, 2026 at 03:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest QSM plugin release that includes the missing capability and status checks.
  • If an update cannot be applied immediately, block or protect the plugin’s public upload and data‑retrieval endpoints by implementing a web‑application firewall rule or by limiting access to authorized user roles through .htaccess.
  • Configure WordPress and the QSM plugin to restrict the types of files that can be uploaded, and ensure all uploads are scanned for malware before being accepted.

Advisories

No advisories yet.

History

Fri, 09 Jan 2026 13:30:00 +0000

Type: CPEs
Values Removed: (none)
Values Added: cpe:2.3:a:expresstech:quiz_and_survey_master:*:*:*:*:*:wordpress:*:*

Tue, 06 Jan 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 06 Jan 2026 14:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Expresstech; Expresstech quiz And Survey Master; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Expresstech; Expresstech quiz And Survey Master; Wordpress; Wordpress wordpress

Tue, 06 Jan 2026 09:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Quiz and Survey Master (QSM) – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability and status checks on multiple functions in all versions up to, and including, 10.3.1. This makes it possible for unauthenticated attackers to view the details of unpublished, private, or password-protected quizzes, as well as submit file responses to questions from those quizzes, which allow file upload.

Type: Title
Values Removed: (none)
Values Added: Quiz and Survey Master (QSM) <= 10.3.1 - Missing Authorization to Unpublished, Private And Password-Protected Quiz Information Disclosure And Image Response Uploads

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:05:18.153Z

Reserved: 2025-08-28T20:48:10.672Z

Link: CVE-2025-9637

Vulnrichment

Updated: 2026-01-06T14:19:06.752Z

NVD

Status: Analyzed

Published: 2026-01-06T10:15:48.940

Modified: 2026-01-09T13:25:57.263

Link: CVE-2025-9637

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T04:00:07Z

Weaknesses